In the aftermath of last Friday’s massive Distributed Denial of Service (DDoS) attack, U.S. Sen. Mark Warner (D-VA) is asking the Federal Communications Commission to crack down on the proliferation of insecure Internet-connected devices.

Warner is a member of the Senate Select Committee on Intelligence and co-founder of the bipartisan Senate Cybersecurity Caucus.

The market for Internet of Things (IoT) products, such as connected refrigerators, smart thermostats and Internet-enabled cameras, is growing rapidly, Warner said. Weak security features can provide access to user data by hackers, creating easy entry points to home or work networks, and allowing hackers to hijack devices into “enormous botnets used to send crippling amounts of data to specific Internet sites and servers,” he said.

“Manufacturers today are flooding the market with cheap, insecure devices, with few market incentives to design the products with security in mind, or to provide ongoing support,” he said. “And buyers seem unable to make informed decisions between products based on their competing security features, in part because there are no clear metrics.”

In a letter this week to FCC Chairman Tom Wheeler, Warner said Level 3 Communications is tracking the “Mirai botnet,” which has more than doubled since the source code was first made public on Oct. 1.

“The Mirai botnet functions by taking control of highly insecure devices, such as IoT products, and [uses] them to send debilitating levels of network traffic from these compromised devices to particular sites, web-hosting servers, and Internet infrastructure providers,” he said. “By infecting consumer devices with this malware, attackers can hijack the communications capabilities of users’ devices, using large numbers of them to flood sites and servers with overwhelming traffic.”{ad}

Mirai’s effectiveness depends, in large part, on the “unacceptably low level of security inherent in a vast array of network devices,” Warner said. Attackers perform wide-ranging scans of IP addresses, searching for devices with poor security features such as factory default or unchangeable passwords, publicly accessible remote administration ports and susceptibility to brute force attacks, he said.

Dale Drew, Level 3’s chief security officer, said Mirai was involved in last Friday’s attack, with “bad guys going through legitimate DNS (domain name servers) providers and … making a significant number of queries, (such as) show me all the hosts that are on this domain, and making a tremendous number of …

{vpipagebreak}

… queries to the DNS provider victim. That victim is getting hit with so many of what looks like legitimate DNS queries that they’re getting completely overwhelmed and cannot answer legitimate queries from real customers.”

According to the FCC’s Open Internet rules, Internet service providers (ISPs) cannot prohibit the attachment of non-harmful devices to their networks. Warner said it “seems entirely reasonable to conclude under the present circumstances, however, that devices with certain insecure attributes could be deemed harmful to the network — whether the ISP’s own network or the networks to which it is connected.”

“While remaining vigilant to ensure that such prohibitions do not serve as a pretext for anticompetitive or exclusionary behavior, I would encourage regulators to provide greater clarity to (ISPs) in this area,” he said.

Specifically, Warner asks Wheeler if it would it be a “reasonable network-management practice for ISPs to designate insecure network devices as ‘insecure’ and thereby deny them connections to their networks, including by refraining from assigning devices IP addresses.” He also asked what strategies the FCC would pursue to take devices deemed harmful to the network out of the stream of commerce.

“Are there remediation procedures vendors can take, such as patching?” he said. “What strategy would you pursue to deactivate or recall the embedded base of consumer devices?”

Warner said he is interested in a “range of expert opinions and meaningful action on new and improved tools to better protect American consumers, manufacturers, retailers, Internet sites and service providers.”